JWT library


Alex Soto

Sep 30, 2016, 11:27:21 AM
to MicroProfile
Hello guys, one of the main technologies used in microservices to avoid making them stateful is the usage of tokens, and more concretely JWT. There are several libraries in the Java market that implement JWT (with encryption as well). Do you have in mind to use any?

I think there is:


Alex.

Ken Finnigan

Sep 30, 2016, 11:31:57 AM
to Alex Soto, MicroProfile
Hi Alex,

From some initial discussions we had during the BOF at JavaOne, we would focus only on defining some JWT token fields that must be present.

We'd simply define some interoperability requirements around JWT fields, and each implementation could create/read the JWT token however they wanted.

Granted that may change, but that was the original idea.

Ken


Antonio Goncalves

Sep 30, 2016, 12:00:56 PM
to Alex Soto, MicroProfile
Hi Alex,

If you look at https://jwt.io/#libraries-io, among the Java libraries, JJWT looks more complete than the others (and that's the one I actually use ;o)

Antonio




--
Antonio Goncalves
Software architect, Java Champion and Pluralsight author


Jean-Louis Monteiro

Sep 30, 2016, 12:13:57 PM
to Antonio Goncalves, Alex Soto, MicroProfile
Hi Alex,

Indeed that'd be cool.
I have used Nimbus a lot, which is quite complete and well documented.

Hope it helps

Alex Soto

Sep 30, 2016, 12:51:43 PM
to MicroProfile
Thank you, I have used Nimbus in the past too because it implements JOSE, which is really useful for sensitive data. I even collaborated with some PRs.

But now I saw jjwt, which seems somewhat lighter, and I wanted to know if you plan to use any in conference samples.

Antonio Goncalves

Sep 30, 2016, 1:05:15 PM
to Alex Soto, MicroProfile
At Devoxx BE I'll be doing a University on REST services (let's say MicroServices ;o) using the MicroProfile and Angular 2. I'm planning to use JJWT.

Antonio


Alex Soto

Sep 30, 2016, 1:16:50 PM
to MicroProfile

Werner Keil

Sep 30, 2016, 3:25:58 PM
to MicroProfile
I believe we brushed the topic at least once in the JSR 375 EG.

At least for the Java EE 8 focus I don't think it could make it into 375, but for the "Security.next" JSR or JSRs it may be a feature beside OAuth, OpenID Connect, SAML, etc.

Werner

Alex Soto

Oct 1, 2016, 3:30:38 AM
to MicroProfile
Hi Ken et al., did you talk about fingerprinting tokens and which fields to use?

Alex

Werner Keil

Oct 1, 2016, 2:00:58 PM
to MicroProfile
Alex,

As you're also an active JSON EG member, do you feel this standard (https://tools.ietf.org/html/rfc7519) could also be relevant to any of the JSON JSRs like JSON-P/JSON-B, or elsewhere?

Werner

Alex Soto

Oct 3, 2016, 3:56:55 AM
to MicroProfile
Hi Werner, I think it has nothing to do with JSON-P or JSON-B in the spec itself. I mean JWT is something related to the security spec that might use JSON-P as a low-level API, but that's all. JWT is at the end a JSON document with normal JSON fields, and this is already supported by JSON-P. It should be the responsibility of upper levels (the Security spec) to provide a field with a specific name and, for example, a signed value.

Alex.


Erin Schnabel

Oct 3, 2016, 8:12:42 AM
to MicroProfile
IIRC, JJWT uses Jackson, which is why we didn't use it with some features we're building around JWT.

+1 to the notion of documenting the required fields, and letting the chosen JWT implementations vary. ;)

Alex Soto

Oct 3, 2016, 8:57:44 AM
to MicroProfile
So this leaves us to implement a JWT based on JSON-P? Or collaborate with JJWT to create an artifact depending on JSON-P. Nimbus just depends on the json-smart library.


Ken Finnigan

Oct 3, 2016, 9:00:51 AM
to Alex Soto, MicroProfile
From the, admittedly brief, discussions we had at the MicroProfile BOF at JavaOne.

The focus was on defining a few fields and their location within a JWT token and leaving everything else up to implementors.

When we're talking interoperability, it doesn't matter which JWT implementation is being used, only that the fields we expect are in the location we expect them to be.

Ken

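Ken's point here, and Alex's earlier remark that a JWT is at the end a JSON document with named fields, can be made concrete. The example below is added to this thread and is not code from the thread, from MicroProfile, or from any of the libraries named (JJWT, Nimbus, auth0/java-jwt). It uses only the Python standard library to mint and verify an HS256-signed JWT per RFC 7519 and then to check that a required-field set is present in the payload. The field set used (iss, sub, exp) is an assumption for illustration, not a MicroProfile decision; the point is that the interoperability check depends only on field names and their location in the payload, never on which library produced the token.

```python
"""Mint and verify an HS256 JWT and check required claims, stdlib only.

Added example; not code from the MicroProfile thread or from any JWT library.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed required-field set for the interoperability check (illustrative only;
# the thread has not settled on a list).
REQUIRED_CLAIMS = ("iss", "sub", "exp")


def _b64url_encode(raw: bytes) -> str:
    """base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Re-add the padding that base64url strips before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature, signing over the encoded header and payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, key: bytes, required=REQUIRED_CLAIMS, now=None) -> dict:
    """Verify the signature, then enforce the agreed fields. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The verifier pins the algorithm; the token's own "alg" never selects
    # how the signature is checked.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg: %r" % header.get("alg"))
    expected = hmac.new(
        key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    # Only after the signature holds do we look at the JSON payload, which is
    # where the interoperability requirement (named fields present) is checked.
    claims = json.loads(_b64url_decode(payload_b64))
    missing = [c for c in required if c not in claims]
    if missing:
        raise ValueError("missing required claims: " + ", ".join(missing))
    now = time.time() if now is None else now
    if "exp" in claims and (
        not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now
    ):
        raise ValueError("token expired")
    return claims


def verdict(token: str, key: bytes, now=None) -> str:
    """Return 'ok' or the reason verification failed (handy for logging)."""
    try:
        verify_hs256(token, key, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    # Constructed sample key and claims; not real credentials.
    demo_key = b"constructed-example-key"
    good = mint_hs256({"iss": "https://issuer.example", "sub": "alice", "exp": 2_000_000_000}, demo_key)
    print("good token:", verdict(good, demo_key))
    no_sub = mint_hs256({"iss": "https://issuer.example", "exp": 2_000_000_000}, demo_key)
    print("missing sub:", verdict(no_sub, demo_key))
```

Two checks are worth calling out. The signature is verified before the payload is parsed or any field is inspected, so a token produced by a different library interoperates as long as its HS256 signature and its field names line up. And the "alg" header is pinned on the verifier side rather than read from the token, so a token naming "none" or another algorithm is rejected outright.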

Antonio Goncalves

Oct 3, 2016, 9:05:48 AM
to Ken Finnigan, Alex Soto, MicroProfile
JJWT, like Swagger, includes Jackson and therefore a few MB of JARs. So it would be good if we could have those two only depending on JSON-P.... but that's another story ;o)

I agree with @Ken, let's just stick to interoperability for now and leave the implementations.

Antonio


Kevin Sutter

Oct 3, 2016, 7:06:06 PM
to MicroProfile, aso...@gmail.com
+1 to @Ken's comment -- it shouldn't matter which JWT implementation is chosen by any given MicroProfile implementation, as long as the definition of the JWT fields is properly specified.



Werner Keil

Oct 4, 2016, 10:22:41 AM
to MicroProfile, aso...@gmail.com
Well, https://tools.ietf.org/html/rfc7797 improving the original https://tools.ietf.org/html/rfc7519 sounds like JWT is still somewhat "in progress".

To use it in a JSR like JSON-P, JSON-B or others (e.g. the Security "complex" started in JSR 375) it may not be mature enough.
Since MicroProfile does not restrict itself to standards, it could add other libraries like one of those mentioned (https://github.com/auth0/java-jwt at least is under the MIT License; as long as that's not a problem, why not use it, just have to make sure there's no catch like vendor tie-in with an issuer like jwt.io ;-)

And allow swapping to a standard solution if and when that's offered (probably not before Java EE 9, but then it should be easier to "Mix & Match" thanks to a Jigsaw foundation to Java EE)

Regards,
Werner

Arjan Tijms

Oct 6, 2016, 5:06:27 AM
to MicroProfile, aso...@gmail.com
Hi,

There's a JWT POC for JSR 375 made by EG member Rudy here: https://github.com/rdebusscher/soteria-jwt

It's Apache licensed and uses Nimbus/JOSE, which is why it's not directly in JSR 375 yet.

Werner Keil

Oct 6, 2016, 8:36:13 AM
to MicroProfile, aso...@gmail.com
According to the POM it doesn't seem to depend on other parts of JSR 375 API or Soteria at the moment, right?

java-ee 7 and Nimbus-JOSE, so it looks like it could work on top of a certain "profile" depending on which parts of Java EE 7 it needs.

Thanks,
Werner

Arjan Tijms

Oct 6, 2016, 12:08:53 PM
to MicroProfile, aso...@gmail.com

Arjan Tijms

Oct 6, 2016, 12:10:55 PM
to MicroProfile, aso...@gmail.com
p.s.

Do note that Soteria, like e.g. Hibernate, Mojarra, etc., can be put into the .war in WEB-INF/lib.

Werner Keil

Oct 7, 2016, 9:07:48 AM
to MicroProfile, aso...@gmail.com
Sounds great.

As this has fewer dependencies, it could be usable as soon as JSR 375 progresses (for Microprofile unless you add "incubating" parts maybe once it's Final with Java EE 8;-)

Btw. the organization level repo on Bintray like Rudy uses in his POM is OK but for published artifacts, http://jcenter.bintray.com/ would be better. AFAIK it should be more scalable, similar to MavenCentral.

Alex Soto

Oct 16, 2016, 5:52:19 AM
to MicroProfile

Werner Keil

Oct 18, 2016, 5:58:50 AM
to MicroProfile
Alex,

Thanks for sharing.

As you know, Dmitry was just confirmed to take over JSR 374 https://jcp.org/en/jsr/detail?id=374

The Renewal Ballot will start today. Anybody who is in the EC right now, please allow me to remind you to vote, it would be a shame not just for the JCP if a "pillar of Microprofile" like JSON-P got rejected;-)
Dmitry suggested a hangout or conf call in the next few weeks. I guess discussing JWT there as a possible feature would be best. Hope you can join that call.

Werner

On Sunday, October 16, 2016 at 11:52:19 AM UTC+2, Alex Soto wrote:
Interesting article http://connect2id.com/products/nimbus-jose-jwt/vulnerabilities